Skip to main content

Threat Model Delta Template

Ticket / Issue ID: #### Feature / Change: Short title

1. Summary

One-sentence description of why this change affects the threat model.

2. New or Changed Assets

List any new assets introduced or existing ones that have changed:

Example: New API endpoint /join (accepts signed invites)
Example: Added persistent cache for session tokens

3. New Trust Boundaries

Describe any new boundaries between systems or components:

Example: CIVITAS/CORE ↔ external OIDC
Example: Plugin sandbox ↔ core runtime

4. New or Changed Threats

Threat ID	Description	Likelihood	Impact	Mitigation
FED-001	Replay attack on join request	Medium	High	Nonce in request, short expiry, mutual TLS

5. Retired Threats

List threats from the old model that no longer apply and why:

Example: Old identity provider removed, XXE risk retired.

6. Updated Mitigations

Example: Switched token signing from HS256 → ES256 (better key management)
Example: Added rate limiting on /join to prevent brute-force

1. Summary
2. New or Changed Assets
3. New Trust Boundaries
4. New or Changed Threats
5. Retired Threats
6. Updated Mitigations